Abstract. Numerical algorithms lie at the heart of many safety-critical aerospace systems. The complexity and hybrid nature of these systems often requires the use of interactive theorem provers to verify that these algorithms are logically correct. Usually, proofs involving numerical computations are conducted in the infinitely precise realm of the field of real numbers. However, numerical computations in these algorithms are often implemented using floating point numbers. The use of a finite representation of real numbers introduces uncertainties as to whether the properties verified in the theoretical setting hold in practice. This short paper describes work in progress aimed at addressing these concerns. Given a formally proven algorithm, written in the Program Verification System (PVS), the Frama-C suite of tools is used to identify sufficient conditions and verify that under such conditions the rounding errors arising in a C implementation of the algorithm do not affect its correctness. The technique is illustrated using an algorithm for detecting loss of separation among aircraft.


1 Introduction 

Virtually every aerospace application is composed of numerical algorithms. The 
mathematics in these algorithms is both continuous and discrete. The hybrid 
nature of aerospace applications often means that interactive theorem provers are 
required to reason about their logical correctness. As the models and algorithms 
are refined into an implementation, care must be taken so that assumptions made 
in the abstract models are not violated by the implementation. Of particular 
concern are the issues that arise when moving from the infinitely precise field 
of real numbers to an implementation using a floating point representation [4,8] 
such as the IEEE 754 standard [5]. It is well-known that overflows, underflows, 
and accumulated rounding errors in floating point arithmetic can produce results 
that significantly differ from the ideal. Hence, properties that were demonstrated 
to hold in the abstract models may be violated in a concrete implementation. 
Therefore one cannot assert that theorems proven in the setting of the real 
numbers carry over to the implementation without additional arguments. 

The domain of application of the case study in this paper is air traffic management (ATM). Advances in surveillance and communication systems allow for ATM concepts where computer programs provide safety-critical functionality.



For instance, the self-separation operational concept proposed by NASA [10] relies on airborne conflict detection and resolution (CD&R) systems that assist pilots and air traffic controllers to maintain safety in the airspace by keeping aircraft separated. Computer-based separation assurance systems are critical elements of air/ground distributed operational concepts for the next generation of air traffic management systems.

The Formal Methods group at NASA Langley has developed the Airborne Coordinated Conflict Resolution and Detection (ACCoRD) formal framework for reasoning about aircraft separation assurance systems.^3 The framework, which is written in the Program Verification System (PVS) [9], consists of more than 1500 lemmas and includes formally verified algorithms for conflict detection, conflict resolution, conflict recovery, loss of separation recovery, and conflict prevention bands. This paper reports work in progress on a verification approach that is being applied to formally prove the correctness of the C implementations of some of these algorithms.

2 Conflict Detection 

This paper concerns a conflict detection algorithm, namely CD2D, developed by NASA as part of the ACCoRD framework. CD2D is a pairwise state-based 2-D conflict detection algorithm. Pairwise refers to the fact that CD2D only considers two aircraft, called the ownship and the intruder. State-based refers to the use of a Euclidean airspace where the aircraft fly at constant velocity. In particular, in CD2D, the position and velocity of the ownship are represented by the 2-D position $s_o = (s_{ox}, s_{oy})$ and the vector $v_o = (v_{ox}, v_{oy})$, respectively, and the position and velocity of the intruder are represented by $s_i = (s_{ix}, s_{iy})$ and $v_i = (v_{ix}, v_{iy})$, respectively. As it simplifies the mathematical development, most definitions in ACCoRD use a relative coordinate system where the intruder is static at the center of the system. In this relative system, the ownship is located at $s = s_o - s_i$ and moves at relative velocity $v = v_o - v_i$.

In air traffic management, a loss of separation is a violation of the separation requirement between two aircraft. If the vertical dimension is ignored, the separation requirement is given by a minimum horizontal distance D. A conflict is a predicted loss of separation within a lookahead time T. In this paper, D and T are global constants. Loss of separation and conflict are formalized in ACCoRD as follows.

$\mathit{los?}(s) = \sqrt{s_x^2 + s_y^2} < D, \qquad \mathit{conflict?}(s, v) = \exists\, 0 \le t \le T : \mathit{los?}(s + t v). \quad (1)$

The PVS function cd2d, which models the CD2D algorithm, takes as parameters the state of the aircraft, i.e., $s_o, v_o, s_i, v_i$, and returns a Boolean value that indicates whether or not a loss of separation with respect to the minimum distance D is predicted to occur within the lookahead time T.

^3 http://shemesh.larc.nasa.gov/people/cam/ACCoRD



$\mathit{cd2d}(s_o, v_o, s_i, v_i) = \textbf{let } s = s_o - s_i,\ v = v_o - v_i \textbf{ in } \mathit{los?}(s) \textbf{ or } \omega(s, v) < 0,$


where ω is a continuous function that characterizes conflicts. It is defined as follows.

$\omega(s, v) = \begin{cases} s \cdot v & \text{if } s^2 = D^2, \\ v^2 s^2 + 2\,\tau(s, v)\,(s \cdot v) + \tau^2(s, v) - D^2 v^2 & \text{otherwise,} \end{cases} \quad (2)$

where $\tau(s, v) = \min(\max(0, -(s \cdot v)), T v^2)$. When $v^2 \neq 0$, $\tau(s, v)/v^2$ denotes the time of closest approach for the aircraft and $\sqrt{\omega(s, v)/v^2 + D^2}$ denotes the minimum distance.

The ACCoRD development has a formal proof that the function cd2d is sound and complete with respect to the predicate conflict?, i.e., that the following statement holds.

Proposition 1. Given a distance D > 0 and a lookahead time T > 0, for all vectors $s = s_o - s_i$ and $v = v_o - v_i$,

(soundness) If conflict?(s, v) holds then cd2d($s_o$, $v_o$, $s_i$, $v_i$) returns true.
(completeness) If cd2d($s_o$, $v_o$, $s_i$, $v_i$) returns true then conflict?(s, v) holds.

Soundness and completeness are closely related to the concepts of missed-alerts and false-alerts, respectively.

It should be noted that the theoretical development presented in this section assumes infinite precision real numbers and does not consider physical limitations of the aircraft. In a concrete implementation of the CD2D algorithm, those considerations become significant. In particular, arbitrarily large/small numbers in the presence of floating point numbers and the use of floating point arithmetic introduce uncertainties as to whether properties verified in the ideal theoretical setting, such as Proposition 1, hold in practice.


3 Verification in Practice 

In order to formally prove a statement such as Proposition 1 for a C program, it is necessary to have a verification environment that provides a specification language supporting both real numbers and floating point arithmetic and that easily integrates with automated and interactive theorem provers. Frama-C is an open-source framework developed at CEA comprising a suite of tools for static analysis of C programs, in the form of plugins implementing abstract interpretation, slicing, and deductive verification engines. In particular, Frama-C uses the deductive verification plugin Jessie [6], which generates verification conditions for C programs. These verification conditions are submitted to different theorem provers via the Why3 back-end [2]. In particular, Why3 connects to the Gappa [7] tool, which specializes in verifying properties of numerical programs. Frama-C supports annotations written in the ANSI C Specification Language (ACSL) [1], an assertion language for specifying behavioral properties of C programs in a first-order logic. Like PVS, ACSL supports mathematical expressions over the real numbers. Furthermore, ACSL has a built-in model of IEEE-754 arithmetic including the rounding modes, casts, and infinity. The analysis presented here assumes IEEE-754 in strict form, i.e., the generated verification conditions ensure no overflows or special values, and rounding to nearest with ties to even.

A straightforward C implementation of cd2d does not satisfy Proposition 1 due to the use of floating point arithmetic in C. Indeed, in the presence of computation errors, it is impossible to write a program that satisfies both soundness and completeness. In practice, there is a trade-off between soundness and completeness in any implementation of a conflict detection algorithm. From a safety point of view, soundness is usually considered the more desirable of the two properties, since it eliminates the possibility of missed-alerts. Therefore, the target property for the verification presented here is soundness. However, it should be noted that completeness also has safety implications. For example, a program that always returns true would be trivially sound. Of course, such a program would have an unacceptable rate of false alerts and quickly erode the trust that a pilot may have in these kinds of systems.

This paper proposes a systematic construction of a C program, namely cd2d, from its PVS counterpart, also named cd2d, that is provably sound. The proof is conducted in the Frama-C environment and reuses Proposition 1 and other core geometric properties proved in PVS. The construction of the C function cd2d starts by translating every real-valued function f involved in the definition of the PVS function cd2d into an identical logical ACSL function fR and into a C function f. The ACSL function fR uses real number arithmetic, while the C function f uses floating point arithmetic. The specification of the C function f states that the absolute error of the floating point computation is bounded by a given positive constant $\epsilon_f$, i.e., $|\mathtt{f}(x) - f\mathrm{R}(x)| \le \epsilon_f$. Here only the C basic types double and int are used for the translation. Therefore, vectors are represented by their components. For instance, the function τ, used in Formula 2, is translated into ACSL-annotated C code as follows.^4

    /*@ logic real tauR(real s_x, real s_y, real v_x, real v_y, real t) =
      @   dmin(dmax(0., -dotR(s_x, s_y, v_x, v_y)), t*sqvR(v_x, v_y));
      @*/

    /*@ requires -100. <= s_x <= 100. && ...;
      @ ensures \abs(\result - tauR(s_x, s_y, v_x, v_y, T)) <= E_tau;
      @*/
    double tau(double s_x, double s_y, double v_x, double v_y) {
      return min(max(0, -dot(s_x, s_y, v_x, v_y)), T*sqv(v_x, v_y)); }

In ACSL, the precondition is denoted by the keyword requires, while the postcondition is denoted by the keyword ensures. By convention, real number functions are written with the postfix R. If function f is proven to satisfy its specification for a certain value of $\epsilon_f$, this value is propagated into the specification of the functions and Boolean conditions that depend on f. At the end of the process, the cd2d function is written as follows.

^4 Logical definitions in ACSL cannot refer to C constants. Hence, t has been added as a parameter to tauR.

    int cd2d(double so_x, double so_y, double vo_x, double vo_y,
             double si_x, double si_y, double vi_x, double vi_y) {
      /* relative position s = s_o - s_i and relative velocity v = v_o - v_i */
      double s_x = so_x - si_x; double s_y = so_y - si_y;
      double v_x = vo_x - vi_x; double v_y = vo_y - vi_y;
      return los(s_x, s_y) || omega(s_x, s_y, v_x, v_y) < E_cd2d; }

In order to appropriately bound the values of the input variables, a system 
of units needs to be chosen. As usual in air traffic management, distances are 
given in nautical miles, speeds are given in knots (nautical miles per hour), and, 
for unit consistency, times are given in hours. Typical bounds for state-based 
separation assurance algorithms such as CD2D are |so_x|, |so_y|, |si_x|, |si_y| < 
100 nautical miles and |vo_x|, |vo_y|, |vi_x|, |vi_y| < 600 knots. Furthermore, the 
constants D and T are set to 5 nautical miles and 0.083 hours (about 5 minutes), 
respectively. 
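The following C code is an added example, not the paper's verified implementation or ACCoRD code: it fills in the functions the page only names (dot, sqv, los, tau, omega) from the definitions of los?, τ and ω in Section 2, uses the D and T values above, and adds a time-sampled cross-check of the closed-form test. The names maxd, mind, min_dist_sq and conflict_sampled are mine, E_CD2D is a placeholder margin rather than the paper's verified value, and los compares squared distances so that the block needs no libm.

```c
/* Constants from the paper: D in nautical miles, T in hours (about 5 minutes). */
#define D 5.0
#define T 0.083
/* Placeholder margin standing in for the paper's verified E_cd2d (assumed, not its value). */
#define E_CD2D 0x1p-21

static double maxd(double a, double b) { return a > b ? a : b; }
static double mind(double a, double b) { return a < b ? a : b; }

double dot(double s_x, double s_y, double v_x, double v_y) { return s_x * v_x + s_y * v_y; }
double sqv(double v_x, double v_y) { return v_x * v_x + v_y * v_y; }

/* los?(s): sqrt(s^2) < D, written on squared quantities here to stay independent of libm. */
int los(double s_x, double s_y) { return sqv(s_x, s_y) < D * D; }

/* tau(s,v) = min(max(0, -(s.v)), T v^2): time of closest approach scaled by v^2, clipped to [0,T]. */
double tau(double s_x, double s_y, double v_x, double v_y) {
    return mind(maxd(0.0, -dot(s_x, s_y, v_x, v_y)), T * sqv(v_x, v_y));
}

/* omega(s,v) from Formula 2: negative exactly when the closest approach within [0,T] is closer than D. */
double omega(double s_x, double s_y, double v_x, double v_y) {
    double s2 = sqv(s_x, s_y), v2 = sqv(v_x, v_y);
    if (s2 == D * D) return dot(s_x, s_y, v_x, v_y);
    double t = tau(s_x, s_y, v_x, v_y);
    return v2 * s2 + 2.0 * t * dot(s_x, s_y, v_x, v_y) + t * t - D * D * v2;
}

/* Floating-point CD2D; comparing omega against +E_CD2D rather than 0 is what keeps it sound. */
int cd2d(double so_x, double so_y, double vo_x, double vo_y,
         double si_x, double si_y, double vi_x, double vi_y) {
    double s_x = so_x - si_x, s_y = so_y - si_y;
    double v_x = vo_x - vi_x, v_y = vo_y - vi_y;
    return los(s_x, s_y) || omega(s_x, s_y, v_x, v_y) < E_CD2D;
}

/* Squared minimum horizontal distance within the lookahead, omega/v^2 + D^2
   (valid when v^2 != 0 and s^2 != D^2, where omega is the quadratic form above). */
double min_dist_sq(double s_x, double s_y, double v_x, double v_y) {
    return maxd(0.0, omega(s_x, s_y, v_x, v_y) / sqv(v_x, v_y) + D * D);
}

/* Cross-check by sampling n+1 instants in [0,T]. Sampling can miss a brief loss of
   separation, so it can only corroborate the closed-form test, never verify it. */
int conflict_sampled(double s_x, double s_y, double v_x, double v_y, int n) {
    for (int k = 0; k <= n; k++)
        if (los(s_x + T * k / n * v_x, s_y + T * k / n * v_y)) return 1;
    return 0;
}
```

With the intruder static at the origin, an ownship at (-20, 0) nmi flying east at 480 kt passes through it after 2.5 minutes (conflict), the same ownship offset to (-20, 10) passes 10 nmi away (no conflict), and one starting at (-60, 0) is still 20 nmi out when T elapses (no conflict within the lookahead).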

One approach to verifying that the C function cd2d is sound consists in replaying the soundness proof of the PVS function cd2d and adapting, along the way, every proof step to deal with floating point inaccuracies. This paper takes a different approach. Since the PVS function cd2d is known to be sound and complete, soundness of the C function cd2d is equivalent to the following proposition.

Proposition 2 (Soundness of cd2d). Given the specified values of D and T, for all so_x, so_y, si_x, si_y, vo_x, vo_y, vi_x, vi_y that satisfy the specified bounds, if the PVS function cd2d(so_x, so_y, vo_x, vo_y, si_x, si_y, vi_x, vi_y) returns true, then the C function cd2d(so_x, so_y, vo_x, vo_y, si_x, si_y, vi_x, vi_y) returns 1.

This leaves the question of how to find the error bound $\epsilon_f$ for each f. Sophisticated analytical techniques exist for estimating rounding errors [3] and, while these are needed to analyze more complex computations, in many cases it is possible to exploit the capability of Frama-C to quickly and automatically prove assertions in order to discover an appropriate value for $\epsilon_f$. The process implements a search by dichotomy, hinging on the provability of the proof assertions.

Beginning with an initial estimate for $\epsilon_f$, the Frama-C/Jessie plugin is invoked, generating a number of verification conditions. If the automated prover cannot show that $\epsilon_f$ is a valid bound, the value of $\epsilon_f$ is increased. On the other hand, if the provers show that the bound holds, the value of $\epsilon_f$ is decreased. The process continues until it converges on a tight bound. In the case of tau, the initial value of E_tau was set to $2^{-30}$, but the Gappa solver on the back-end could not prove the postcondition. Next, E_tau was set to $2^{-10}$, which the solver easily discharged. The dichotomy process eventually reached a bound on the absolute error of $2^{-21}$. Proposition 2 is formally verified in Frama-C for the value E_cd2d = $2 \times 2^{-1}$.
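As an added illustration (not code from the paper or from ACCoRD) of what the bound E_tau = 2^-21 means, the following C code samples the double-precision tau from the page against a long double evaluation of the same formula over the paper's input bounds and reports the largest observed absolute error. The long double tauR is only a stand-in for the ACSL logic function (assumed here), and max_tau_error, bound_holds and uniform are names of my own.

```c
#include <stdlib.h>

#define T 0.083
#define E_TAU 0x1p-21   /* the absolute-error bound the paper's bisection settled on for tau */

/* The C function tau as on the page, evaluated in double precision. */
static double dot(double s_x, double s_y, double v_x, double v_y) { return s_x * v_x + s_y * v_y; }
static double sqv(double v_x, double v_y) { return v_x * v_x + v_y * v_y; }
static double maxd(double a, double b) { return a > b ? a : b; }
static double mind(double a, double b) { return a < b ? a : b; }
double tau(double s_x, double s_y, double v_x, double v_y) {
    return mind(maxd(0.0, -dot(s_x, s_y, v_x, v_y)), T * sqv(v_x, v_y));
}

/* Stand-in for the ACSL logic function tauR: the same formula in long double, with T as a
   long double literal. This only approximates the real-number value; it is not the real itself. */
long double tauR(long double s_x, long double s_y, long double v_x, long double v_y) {
    long double d = -(s_x * v_x + s_y * v_y), tv2 = 0.083L * (v_x * v_x + v_y * v_y);
    long double m = d > 0 ? d : 0;
    return m < tv2 ? m : tv2;
}

/* Uniform sample in [lo, hi) from the C library PRNG (seeded deterministically below). */
static double uniform(double lo, double hi) { return lo + (hi - lo) * (rand() / (RAND_MAX + 1.0)); }

/* Largest |tau - tauR| seen over n random inputs inside the paper's bounds
   (|s| <= 100 nmi, |v| <= 600 kt). A sampled maximum can refute a candidate bound but
   cannot establish it; establishing it is what the Frama-C/Gappa proof obligations do. */
double max_tau_error(int n) {
    double worst = 0.0;
    srand(12345);
    for (int i = 0; i < n; i++) {
        double s_x = uniform(-100, 100), s_y = uniform(-100, 100);
        double v_x = uniform(-600, 600), v_y = uniform(-600, 600);
        long double err = tau(s_x, s_y, v_x, v_y) - tauR(s_x, s_y, v_x, v_y);
        if (err < 0) err = -err;
        if (err > worst) worst = (double)err;
    }
    return worst;
}

/* 1 if every sampled error stays within E_TAU, 0 if some sample refutes the bound. */
int bound_holds(int n) { return max_tau_error(n) <= E_TAU; }
```

On an x86-64 build the observed maximum is on the order of 1e-11, several orders of magnitude below 2^-21, which shows that the proven bound is conservative for these inputs but says nothing about inputs that were not sampled.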



4 Conclusion 


This work in progress contributes a methodology for proving the correctness of implementations of numerical programs whose soundness and completeness have already been demonstrated in the ideal setting of real numbers. In particular, the approach proposed here focuses on discovering and proving the bounds on floating-point rounding errors that can invalidate in practice the theorems proven on reals. As a first case study, the technique was applied to candidate algorithms in the ACCoRD framework. These algorithms feature strong correctness conditions, use only bounded loops and conditionals, and employ well behaved mathematical operations. In addition, the algorithms have well defined bounded input, and units were chosen that kept the magnitude of the computed values from growing big enough to produce large rounding errors. Future work will apply the approach to more sophisticated programs and consider relative error in addition to the absolute error. Also, the task remains to validate the safety implications of the error bounds shown in the paper. As the methodology evolves, the Frama-C tool support is expected to evolve by incorporating new algorithms and plugins to aid in the verification of numerical programs.